CVE-2026-22742 Overview
CVE-2026-22742 is a Server-Side Request Forgery (SSRF) vulnerability in Spring AI's spring-ai-bedrock-converse module. The flaw resides in BedrockProxyChatModel when it processes multimodal messages containing user-supplied media URLs. Insufficient validation of these URLs allows an attacker to coerce the server into issuing HTTP requests to unintended internal or external destinations. The vulnerability affects Spring AI versions 1.0.0 through 1.0.4 and 1.1.0 through 1.1.3. The flaw is tracked under CWE-918: Server-Side Request Forgery.
Critical Impact
An unauthenticated attacker can leverage the vulnerable chat model to probe internal services, access cloud metadata endpoints, or exfiltrate data from systems otherwise unreachable from the public network.
Affected Products
- Spring AI spring-ai-bedrock-converse versions 1.0.0 to 1.0.4
- Spring AI spring-ai-bedrock-converse versions 1.1.0 to 1.1.3
- Applications embedding BedrockProxyChatModel for multimodal input processing
Discovery Timeline
- 2026-03-27 - CVE-2026-22742 published to NVD
- 2026-05-10 - Last updated in NVD database
Technical Details for CVE-2026-22742
Vulnerability Analysis
The vulnerability stems from how BedrockProxyChatModel handles multimodal user input. When a chat message includes media references such as image or document URLs, the model fetches those resources server-side before forwarding their contents to the Amazon Bedrock Converse API. The fetch logic does not validate URL schemes, hostnames, or destination IP ranges. An attacker who can submit prompts to a Spring AI application can therefore direct the server to retrieve arbitrary URLs of their choosing. The attack requires no authentication and no user interaction, and it crosses a trust boundary because the request originates from the application server rather than the attacker's host.
Root Cause
The root cause is missing input validation on URLs supplied through multimodal message content. The code accepts any URL passed by the caller and dispatches an outbound HTTP request without enforcing an allowlist of schemes or hosts, rejecting link-local and private address ranges, or limiting redirects. This pattern is the canonical SSRF anti-pattern described in [CWE-918].
Attack Vector
An attacker submits a multimodal chat request containing a crafted media URL. The Spring AI server resolves and fetches the URL using its own network identity. Targets include cloud instance metadata services such as http://169.254.169.254/latest/meta-data/, internal management interfaces, Kubernetes API endpoints, and otherwise firewalled microservices. Because the connection scope changes (CVSS S:C), the impact extends beyond the Spring AI process to adjacent systems that trust the server. Confidentiality impact is rated high while integrity and availability remain unaffected, indicating the primary risk is information disclosure such as theft of cloud IAM credentials.
// No verified public proof-of-concept code is available.
// Refer to the Spring Security Advisory for technical details:
// https://spring.io/security/cve-2026-22742
Detection Methods for CVE-2026-22742
Indicators of Compromise
- Outbound HTTP requests from Spring AI application hosts to link-local addresses such as 169.254.169.254 or RFC1918 ranges that the application has no business reaching.
- Application logs showing BedrockProxyChatModel processing media URLs whose hostnames are not on an expected allowlist.
- Unusual spikes in outbound DNS lookups originating from the Spring AI service account.
Detection Strategies
- Inspect web application logs for chat or completion endpoints carrying media URL fields pointing at internal hosts, loopback, or cloud metadata endpoints.
- Correlate egress firewall denies with the Spring AI service identity to surface SSRF probing.
- Audit dependency manifests (pom.xml, build.gradle) for vulnerable spring-ai-bedrock-converse versions.
Monitoring Recommendations
- Enable network flow logging on hosts running Spring AI and alert on connections to instance metadata service IPs.
- Monitor for HTTP 200 responses to internal-only services originating from the AI application tier.
- Track outbound request rate and destination diversity from the Spring AI process to detect enumeration attempts.
How to Mitigate CVE-2026-22742
Immediate Actions Required
- Upgrade spring-ai-bedrock-converse to version 1.0.5 or 1.1.4 as directed by the Spring Security Advisory.
- Restrict egress from Spring AI workloads using network policies that block link-local, loopback, and private address ranges.
- Enforce IMDSv2 with hop-limit 1 on AWS hosts to prevent cloud credential theft via SSRF.
Patch Information
VMware has released fixed versions 1.0.5 and 1.1.4 of Spring AI. Details and remediation guidance are published in the Spring Security Advisory for CVE-2026-22742.
Workarounds
- Disable multimodal message support in BedrockProxyChatModel if not required by the application.
- Implement an application-layer URL validator that enforces an allowlist of permitted hosts and rejects private, loopback, and link-local addresses before passing input to the model.
- Route outbound HTTP from the Spring AI service through a forward proxy that enforces destination policy.
# Example Maven dependency update to the fixed 1.1.x release
mvn versions:use-dep-version \
-Dincludes=org.springframework.ai:spring-ai-bedrock-converse \
-DdepVersion=1.1.4 \
-DforceVersion=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
